Abstract

Randomness extraction involves the processing of purely classical information
and is therefore usually studied in the framework of classical probability
theory. However, such a classical treatment is generally too restrictive for
applications, where side information about the values taken by classical
random variables may be represented by the state of a quantum system. This is
particularly relevant in the context of cryptography, where an adversary may
make use of quantum devices. Here, we show that the well known construction
paradigm for extractors proposed by Trevisan is sound in the presence of
quantum side information.

We exploit the modularity of this paradigm to give several concrete
extractor constructions, which, e.g., extract all the conditional (smooth)
min-entropy of the source using a seed of length poly-logarithmic in the
input, or only require the seed to be weakly random.



1 Introduction 

Randomness extraction is the art of generating (almost) uniform randomness
from any weakly random source X. More precisely, a randomness extractor
(or, simply, extractor) is a function Ext that takes as input X together with a
uniformly distributed (and usually short) string Y, called the seed, and outputs
a string Z. One then requires Z to be almost uniformly distributed whenever
the min-entropy of X is larger than some threshold k, i.e.,

$$H_{\min}(X) > k \implies Z := \mathrm{Ext}(X,Y) \text{ statistically close to uniform.} \tag{1}$$

The min-entropy of a random variable X is directly related to the probability
of correctly guessing the value of X using an optimal strategy:
$2^{-H_{\min}(X)} = \max_x P_X(x)$. Hence Criterion (1) can be interpreted
operationally: if the maximum probability of successfully guessing the input of
the extractor, X, is sufficiently low then its output is statistically close to
uniform.

In most applications, such as privacy amplification [BBR88, BBCM95], or
simply when applying two extractors in succession¹ to the same input X, there
is a notion of side information, which describes the information about the input
which is contained in the environment, or accessible to an adversary. Notions
of randomness such as the guessing probability, min-entropy or the uniformity
of a random variable naturally always depend on the side information relative
to which they are defined, and in particular one would like the output of the
extractor to be uniform with respect to the side information. Hence we may
make this requirement explicit in our formulation of Criterion (1) by denoting
by E all side information with respect to which the extractor's output should
be uniform:

$$H_{\min}(X|E) > k \implies \mathrm{Ext}(X,Y) \text{ statistically close to uniform conditioned on } E, \tag{2}$$

where $H_{\min}(X|E)$ is the conditional min-entropy, formally defined in Section 2.2.
This conditioning naturally extends the operational interpretation of the
min-entropy to scenarios with side information, i.e., $2^{-H_{\min}(X|E)}$ is the
maximum probability of correctly guessing X, given access to side information E [KRS09].

Interestingly, the relationship between the two Criteria (1) and (2) depends
on the physical nature of the side information E, i.e., whether E is represented
by the state of a classical or a quantum system. In the case of purely classical side
information, E may be modeled as a random variable and it is known that the
two criteria are essentially equivalent (see Lemma 3.3 for a precise statement).
But in the general case where E is a quantum system, Criterion (2) is strictly
stronger than (1): it was shown in [GKK+07] that there exist extractors that
fulfill (1) but for which (2) fails (see also [KR07] for a discussion).

Since our world is inherently non-classical, it is of particular importance
that (2) rather than the weaker Criterion (1) be taken as the relevant criterion
for the definition of extractors. For example, in the context of cryptography, one
typically uses extractors to generate secret keys, i.e., randomness that is uniform
from an adversary's point of view. Even if the extractor itself is classical, nothing
can prevent an adversary from storing information E in a quantum system, so
Criterion (1) does not imply security. Randomness recycling is another simple
example involving quantum side information. If we run a (simulation of) a
quantum system E using randomness X, approximately $H_{\min}(X|E)$ bits of X
can be reused. Applying a function Ext which has been shown to fulfill (1) but
not (2) could result in an output Z which is still correlated to the system E.

Moreover, since it is known that the smooth conditional min-entropy
precisely characterizes the optimal amount of uniform randomness that can be
extracted from X while being independent from E [Ren05], one may argue that
Criterion (2) is indeed the correct definition for randomness extraction.



1 When applying two extractors in succession to the same input, with the goal that the two 
outputs are jointly uniform, the output of the first extractor needs to be considered as side 
information when analyzing the second extractor. 
In particular, we would like to point out that the popular bounded storage
model — in which the entropy of the source $H_{\min}(X|E)$ is lower-bounded by
$H_{\min}(X) - H_0(E)$ and $H_0(E)$ denotes the number of qubits needed to store E
— is strictly weaker: there are sources X and nontrivial side information E
such that $H_{\min}(X) - H_0(E) \ll H_{\min}(X|E)$,² and extractors which are sound
for any input with $H_{\min}(X) - H_0(E) > k$, but cannot be applied to all sources
with $H_{\min}(X|E) > k$. An extractor which has only been proven sound in the
bounded storage model can thus only extract $H_{\min}(X) - H_0(E)$ bits of uniform
randomness instead of the optimal $H^{\varepsilon}_{\min}(X|E)$ bits. For the same reason in the
purely classical case, no recent work defines classical extractors for randomness
sources with side information stored in bounded classical memories.³

Furthermore, in applications where extractors are used, the increased
generality of the conditional min-entropy over the bounded storage model is often
what is needed. For example in quantum key distribution, where extractors are
used for privacy amplification [Ren05], it is generally impossible to bound the
adversary's memory size.



Related results. In the standard literature on randomness extraction,
constructions of extractors are usually shown to fulfill Criterion (1) for certain
values of the threshold k (see [Zuc90] as well as [Sha02] for an overview).
However, only a few constructions have been shown to fulfill Criterion (2) with
arbitrary quantum side information E. Among them is two-universal
hashing [Ren05, TSSR10] as well as constructions based on the sample-and-hash
approach [KR07].

Recently, Ta-Shma [TS09] studied Trevisan's extractor construction [Tre01]
in the bounded quantum storage model. Although his proof requires the
output length to be much smaller than the min-entropy of the original data, the
result was a breakthrough because it, for the first time, implied the existence
of "quantum-proof" extractors requiring only short seeds (logarithmic in the
input length). More recently, two of the present authors [DV10] were able to
improve the output length that Trevisan's extractor could provably extract in
the presence of a quantum bounded-storage adversary, bringing it close to what
is known for the case of classical adversaries. However, both these results are
proved in the bounded quantum storage model, which, as discussed previously,
only allows the extractor to output at most $H_{\min}(X) - H_0(E)$ bits. This
expression can in general be arbitrarily smaller than $H_{\min}(X|E)$, and in some cases
may even become 0 (or negative) for n-bit sources for which it is possible to
extract $\Omega(n)$ bits of randomness.

Subsequent to this work, Ben-Aroya and Ta-Shma [BATS10] showed how
two versions of Trevisan's extractor, shown quantum-proof in this paper, can be
combined to extract a constant fraction of the min-entropy of an n-bit source
with a seed of length $O(\log n)$, when $H_{\min}(X|E) > n/2$. This is better than the
straightforward application of Trevisan's extractor analyzed here, which requires
$O(\log^2 n)$ bits of seed for the same output size (but works for any $H_{\min}(X|E)$).

2 This can easily be seen by considering the following example. Let X be uniformly
distributed on $\{0,1\}^n$ and E be X with each bit flipped with constant probability
$\varepsilon < 1/2$. Then $H_{\min}(X|E) = \Theta(n)$, but $H_{\min}(X) - H_0(E) = 0$.

3 Restricting the class of randomness sources further than by bounding their min-entropy
can have advantages, e.g., if we consider only bit-fixing sources, or sources generated by a
random walk on a Markov chain, then the extractor can be deterministic. (See [Sha02] for a
brief overview of restricted families of sources studied in the literature.) There is however no
known advantage (e.g., in terms of seed length) in considering only input sources with side
information stored in memory of bounded size, whether it is classical or quantum memory.

Our results. In this work, we show that the performance of Trevisan's
extractor does not suffer in the presence of quantum side information. More precisely,
we show that the output length of the extractor can be close to the optimal
conditional min-entropy $H_{\min}(X|E)$ (see Corollary 5.4 for the exact parameters).
This is the first proof of security of an extractor with poly-logarithmic seed
meeting Criterion (2) in the presence of arbitrary quantum side information.

More generally, we prove security of a whole class of extractors. It has
been observed, by, e.g., Lu and Vadhan [Lu04, Vad04], that Trevisan's
extractor [Tre01] (and variations of it, such as [RRV02]) is a concatenation of the
outputs of a one-bit extractor with different pseudo-random seeds. Since the
proof of the extractor property is independent of the type of the underlying
one-bit extractor (and to some extent the construction of the pseudo-random seeds),
our result is valid for a generic scheme (defined in Section 4.1, Definition 4.2).
We find that the performance of this generic scheme in the context of quantum
side information is roughly equivalent to the (known) case of purely classical
side information (Section 4.2, Theorem 4.6).

Our argument follows in spirit the work of De and Vidick [DV10].
Technically, the proof is essentially a concatenation of the two following ideas.

• In the first part of the original proof of Trevisan [Tre01], it is shown that
the ability to distinguish the extractor's output from uniform implies the
ability to distinguish the output of the underlying one-bit extractor from
uniform (a list-decodable code in Trevisan's original scheme). Ta-Shma
has argued that this claim is still true in the context of quantum side
information [TS09], by treating the adversary as an oracle and measuring
its memory size by counting the queries to the oracle. We extend this result
to the case of arbitrary quantum side information, where the entropy of
the source is measured with the conditional min-entropy, and show that it
still holds even if the seed of the underlying one-bit extractor is not fully
uniform.

• This reduces the problem to proving that the one-bit extractor used in
the construction is quantum-proof. However, because for one-bit
extractors, the more general Criterion (2) is essentially equivalent to the usual
Criterion (1), as shown by König and Terhal [KT08], the claim follows
from known classical results on one-bit extractors with only a small loss
in the error parameter.

This proof structure results in a very modular extractor construction
paradigm, which allows arbitrary one-bit extractors and pseudo-random seeds to
be "plugged in," producing different final constructions, optimized for different
needs, e.g., maximizing the output length, minimizing the seed, or even using
a non-uniform seed if the underlying one-bit extractor also uses a non-uniform
seed. In Table 1 we give a brief overview of the final constructions proposed.

| | Min-entropy | Output length | Seed length | Note |
|---|---|---|---|---|
| Cor. 5.4 | any $k$ | $m = k - 4\log 1/\varepsilon$ | $d = O(\log^3 n)$ | optimized output length |
| Cor. 5.6 | $k = n^{\alpha}$ | $m = n^{\alpha-\gamma}$ | $d = O(\log n)$ | optimized seed length |
| Cor. 5.11 | $k = \alpha n$ | $m = (\alpha-\gamma)n$ | $d = O(\log^2 n)$ | local extractor |
| Cor. 5.14 | $k = n^{\alpha}$ | $m = n^{\alpha-\gamma}$ | $d = O(\log n)$ | seed with min-entropy $\beta d$ |

Table 1: Plugging various weak designs and 1-bit extractors in Trevisan's
construction, we obtain these concrete extractors. Here n is the input length,
$\varepsilon = \mathrm{poly}(1/n)$ the error, $\alpha$ and $\gamma$ are arbitrary constants such that
$0 < \gamma < \alpha < 1$, and $\frac{1}{2} < \beta < 1$ is a specific constant.

Organization of the paper. We first define the necessary technical tools
in Section 2, in particular the conditional min-entropy. In Section 3 we give
formal definitions of extractors and discuss briefly how much randomness can
be extracted from a given source. Section 4 contains the description of
Trevisan's extractor construction paradigm and a proof that it is still sound in the
presence of quantum side information. Then in Section 5 we plug in various
one-bit extractors and pseudo-random seed constructions, resulting in, amongst
others, a construction which is nearly optimal in the amount of randomness
extracted in Section 5.1 (which is identical to the best known bound in the
classical case [RRV02] for Trevisan's extractor), and a construction which is still
sound if there is a small linear entropy loss in the seed in Section 5.4. Finally,
in Section 6 we mention a few classical results which modify and improve
Trevisan's extractor, but for which the correctness in the presence of quantum side
information does not seem to follow immediately from this work.

2 Technical preliminaries 
2.1 Notation 

We write [N] for the set of integers $\{1, \dots, N\}$. If $x \in \{0,1\}^n$ is a string of
length n, $i \in [n]$ an integer, and $S \subset [n]$ a set of integers, we write $x_i$ for the i-th
bit of x, and $x_S$ for the string formed by the bits of x at the positions given by
the elements of S.

$\mathcal{H}$ always denotes a finite-dimensional Hilbert space. We denote by $\mathcal{P}(\mathcal{H})$
the set of positive semi-definite operators on $\mathcal{H}$. We define the set of normalized
quantum states $\mathcal{S}(\mathcal{H}) := \{\rho \in \mathcal{P}(\mathcal{H}) : \operatorname{tr}\rho = 1\}$ and the set of sub-normalized
quantum states $\mathcal{S}_{<}(\mathcal{H}) := \{\rho \in \mathcal{P}(\mathcal{H}) : \operatorname{tr}\rho < 1\}$.

We write $\mathcal{H}_{AB} = \mathcal{H}_A \otimes \mathcal{H}_B$ for a bipartite quantum system and
$\rho_{AB} \in \mathcal{P}(\mathcal{H}_{AB})$ for a bipartite quantum state. $\rho_A = \operatorname{tr}_B(\rho_{AB})$ and
$\rho_B = \operatorname{tr}_A(\rho_{AB})$ denote the corresponding reduced density operators.

If a classical random variable X takes the value $x \in \mathcal{X}$ with probability $p_x$,
it can be represented by the state $\rho_X = \sum_{x \in \mathcal{X}} p_x |x\rangle\langle x|$, where
$\{|x\rangle\}_{x \in \mathcal{X}}$ is an orthonormal basis of a Hilbert space $\mathcal{H}_X$. If the classical
system X is part of a composite system XB, any state of that composite system can
be written as $\rho_{XB} = \sum_{x \in \mathcal{X}} p_x |x\rangle\langle x| \otimes \rho_B^x$.

$\|\cdot\|_{\mathrm{tr}}$ denotes the trace norm and is defined by $\|A\|_{\mathrm{tr}} := \operatorname{tr}\sqrt{A^\dagger A}$.



2.2 Min-entropy 

To measure how much randomness a source contains and can be extracted, we
need to use the smooth conditional min-entropy. This entropy measure was first
defined by Renner [Ren05], and represents the optimal measure for randomness
extraction in the sense that it is always possible to extract that amount of
almost-uniform randomness from a source, but never more.

Definition 2.1 (conditional min-entropy). Let $\rho_{AB} \in \mathcal{S}_{<}(\mathcal{H}_{AB})$. The
min-entropy of A conditioned on B is defined as

$$H_{\min}(A|B)_\rho := \max_{\sigma_B \in \mathcal{S}(\mathcal{H}_B)} \{\lambda \in \mathbb{R} : 2^{-\lambda}\, \mathbb{1}_A \otimes \sigma_B > \rho_{AB}\}.$$

We will often drop the subscript $\rho$ when there is no doubt about what
underlying state is meant.

This definition has a simple operational interpretation when the first system
is classical, which is the case we consider. König et al. [KRS09] showed that for
a state $\rho_{XB} = \sum_{x \in \mathcal{X}} p_x |x\rangle\langle x| \otimes \rho_B^x$ classical on X,

$$H_{\min}(X|B)_\rho = -\log p_{\mathrm{guess}}(X|B)_\rho, \tag{3}$$

where $p_{\mathrm{guess}}(X|B)$ is the maximum probability of guessing X given B, namely

$$p_{\mathrm{guess}}(X|B) := \max_{\{E_B^x\}_{x \in \mathcal{X}}} \left( \sum_{x \in \mathcal{X}} p_x \operatorname{tr}\left(E_B^x \rho_B^x\right) \right),$$

where the maximum is taken over all POVMs $\{E_B^x\}_{x \in \mathcal{X}}$ on B. If the system
B is empty, then the min-entropy of X reduces to the standard definition,
$H_{\min}(X) = -\log \max_{x \in \mathcal{X}} p_x$ (sometimes written $H_\infty(X)$). In this case the
connection to the guessing probability is particularly obvious: when no side
information is available, the best guess we can make is simply the value $x \in \mathcal{X}$
with highest probability.
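As an added illustration (not code from the paper), the following Python sketch evaluates Eq. (3) for purely classical side information, where the optimal measurement reduces to guessing the most likely x for each observed value e. It assumes the joint distribution is given explicitly as a dictionary, uses a constructed source (X uniform on n bits, E a copy of X with independent bit flips) and compares the result with the bounded-storage quantity $H_{\min}(X) - H_0(E)$ from the introduction; all function names are hypothetical.

```python
import math
from itertools import product


def guessing_probability(joint):
    """p_guess(X|E) for classical E: sum over e of max_x P(x, e).

    `joint` maps (x, e) -> probability. With classical side information the
    optimal measurement is a deterministic guess of the likeliest x per e.
    """
    best = {}
    for (x, e), p in joint.items():
        best[e] = max(best.get(e, 0.0), p)
    return sum(best.values())


def conditional_min_entropy(joint):
    """H_min(X|E) = -log2 p_guess(X|E), Eq. (3) restricted to classical E."""
    return -math.log2(guessing_probability(joint))


def bounded_storage_bound(joint):
    """H_min(X) - H_0(E), with H_0(E) = log2 of the number of values E takes."""
    p_x, support_e = {}, set()
    for (x, e), p in joint.items():
        p_x[x] = p_x.get(x, 0.0) + p
        if p > 0:
            support_e.add(e)
    h_min_x = -math.log2(max(p_x.values()))
    return h_min_x - math.log2(len(support_e))


def noisy_copy_source(n, flip):
    """Constructed example: X uniform on {0,1}^n, E = X with i.i.d. bit flips."""
    joint = {}
    for x in product((0, 1), repeat=n):
        for e in product((0, 1), repeat=n):
            k = sum(a != b for a, b in zip(x, e))  # Hamming distance of x and e
            joint[(x, e)] = 2.0 ** -n * flip ** k * (1 - flip) ** (n - k)
    return joint


if __name__ == "__main__":
    n, flip = 6, 0.1  # constructed parameters
    joint = noisy_copy_source(n, flip)
    print("H_min(X|E)         =", round(conditional_min_entropy(joint), 4))
    print("n*log2(1/(1-flip)) =", round(n * math.log2(1 / (1 - flip)), 4))
    print("H_min(X) - H_0(E)  =", round(bounded_storage_bound(joint), 4))
```

The conditional min-entropy grows linearly in n for a fixed flip probability, while the bounded-storage quantity stays at zero because E needs as many bits as X.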

As hinted at the beginning of this section, the min-entropy is not quite
optimal, in the sense that it is sometimes possible to extract more randomness.
However, the smooth min-entropy is optimal. This information measure consists
in maximizing the min-entropy over all sub-normalized states $\varepsilon$-close to the
actual state $\rho_{XB}$ of the system considered. Thus by introducing an extra error
$\varepsilon$, we have a state with potentially much more entropy. (See Section 3.2 for
more details.)

Definition 2.2 (smooth min-entropy). Let $\varepsilon > 0$ and $\rho_{AB} \in \mathcal{S}_{<}(\mathcal{H}_{AB})$, then
the $\varepsilon$-smooth min-entropy of A conditioned on B is defined as

$$H^{\varepsilon}_{\min}(A|B)_\rho := \max_{\tilde\rho_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})} H_{\min}(A|B)_{\tilde\rho},$$

where $\mathcal{B}^{\varepsilon}(\rho_{AB}) \subset \mathcal{S}_{<}(\mathcal{H}_{AB})$ is a ball of sub-normalized states of radius
$\varepsilon$ around $\rho_{AB}$.⁴



4 Theoretically any distance measure could be used to define an $\varepsilon$-ball. We use the purified
distance, $P(\rho,\sigma) := \sqrt{1 - F(\rho,\sigma)^2}$, where $F(\cdot,\cdot)$ is the fidelity, since this measure has some
advantages over other metrics such as the trace distance. The only property of the purified
distance we need in this work is that it is larger than the trace distance, i.e.,
$P(\rho,\sigma) > \frac{1}{2}\|\rho - \sigma\|_{\mathrm{tr}}$. We refer to [TCR10] for a formal definition of the purified
distance (and fidelity) on sub-normalized states and a discussion of its advantages.
3 Extractors

3.1 Extractors, side information, and privacy amplification

An extractor $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a function which takes a weak
source of randomness X and a uniformly random, short seed Y, and produces
some output Ext(X, Y), which is almost uniform. The extractor is said to be
strong, if the output is approximately independent from the seed.

Definition 3.1 (strong extractor). A function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$
is a $(k,\varepsilon)$-strong extractor with uniform seed, if for all distributions X with
$H_{\min}(X) > k$ and a uniform seed Y, we have⁵

$$\frac{1}{2}\left\|\rho_{\mathrm{Ext}(X,Y)Y} - \rho_{U_m} \otimes \rho_Y\right\|_{\mathrm{tr}} < \varepsilon,$$

where $\rho_{U_m}$ is the fully mixed state on a system of dimension $2^m$.

Using the connection between min-entropy and guessing probability (see
Eq. (3)), a $(k,\varepsilon)$-strong extractor can be seen as a function which guarantees
that if the guessing probability of X is not too high ($p_{\mathrm{guess}}(X) < 2^{-k}$), then it
produces a random variable which is approximately uniform and independent
from the seed Y.

As discussed in the introduction, we consider here a more general situation
involving side information, denoted by E, which may be represented by the
state of a quantum system. We then want to find some function Ext such that,
if the probability of guessing X given E is not too high, Ext can produce a
random variable Ext(X, Y) which is approximately uniform and independent
from the seed Y and the side information E. Equivalently, one may think of a
privacy amplification scenario [BBR88, BBCM95], where E is the information
available to an adversary and where the goal is to turn weakly secret data X
into a secret key Ext(X, Y), where the seed Y is assumed to be public. (In
typical key agreement protocols, the seed is chosen by the legitimate parties
and exchanged over public channels.)

The following definition covers the general situation where the side
information E may be represented quantum-mechanically. The case of purely classical
side information is then formulated as a restriction on the nature of E.

Definition 3.2 (quantum-proof strong extractor). A function
$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a quantum-proof (or simply quantum)
$(k,\varepsilon)$-strong extractor with uniform seed, if for all states $\rho_{XE}$ classical on X
with $H_{\min}(X|E)_\rho > k$, and for a uniform seed Y, we have

$$\left\|\rho_{\mathrm{Ext}(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \rho_E\right\|_{\mathrm{tr}} < \varepsilon,$$

where $\rho_{U_m}$ is the fully mixed state on a system of dimension $2^m$.

The function Ext is a classical-proof $(k,\varepsilon)$-strong extractor with uniform seed
if the same holds with the system E restricted to classical states.



5 A more standard classical notation would be $\frac{1}{2}\|\mathrm{Ext}(X,Y) \circ Y - U_m \circ Y\| < \varepsilon$, where the
distance metric is the variational distance. However, since classical random variables can be
represented by quantum states diagonal in the computational basis, and the trace distance
reduces to the variational distance, we use the quantum notation for compatibility with the
rest of this work.



It turns out that if the system E is restricted to classical information about
X, then this definition is essentially equivalent to the conventional Definition 3.1.

Lemma 3.3 ([KT08, Proposition 1]). Any $(k,\varepsilon)$-strong extractor is a
classical-proof $(k + \log 1/\varepsilon, 2\varepsilon)$-strong extractor.

However, if the system E is quantum, this does not necessarily hold.
Gavinsky et al. [GKK+07] give an example of a $(k,\varepsilon)$-strong extractor, which breaks
down in the presence of quantum side information, even when $H_{\min}(X|E)$ is
significantly larger than k.

Remark 3.4. In this section we defined extractors to use a uniform seed, as
this is the most common way of defining them. Instead one could use a seed
which is only weakly random, but require it to have a min-entropy larger than
a given threshold, $H_{\min}(Y) > s$. The seed must still be independent from the
input and the side information. We redefine extractors formally this way in
Appendix A.1. All the considerations of this section, in particular Lemma 3.3
and the gap between classical and quantum side-information, also apply if the
seed is only weakly random. In the following, when we simply talk about a
strong extractor, without specifying the nature of the seed, we are referring to
both uniform seeded and weakly random seeded extractors.

3.2 Extracting more randomness 

Radhakrishnan and Ta-Shma [RTS00] have shown that a $(k,\varepsilon)$-strong extractor
$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ will necessarily have

$$m < k - 2\log 1/\varepsilon + O(1). \tag{4}$$

However, in some situations we can extract much more randomness than the
min-entropy. For example, let X be distributed on $\{0,1\}^n$ with $\Pr[X = x_0] = \frac{1}{n}$
and for all $x \neq x_0$, $\Pr[X = x] = \frac{n-1}{n(2^n-1)}$. We have $H_{\min}(X) = \log n$,
so using a $(\log n, 1/n)$-strong extractor we could obtain at most $\log n$ bits of
randomness. But X is already $1/n$-close to uniform, since
$\frac{1}{2}\|\rho_X - \rho_{U_n}\|_{\mathrm{tr}} < \frac{1}{n}$.
So we already have n bits of nearly uniform randomness, exponentially more
than by using a $(\log n, 1/n)$-strong extractor.

In the case of quantum extractors, similar examples can be found, e.g.,
in [TCR10, Remark 22]. However, an upper bound on the extractable
randomness can be obtained by replacing the min-entropy by the smooth
min-entropy (Definition 2.2). More precisely, the total number of $\varepsilon$-uniform bits
that can be extracted in the presence of side information E can never exceed
$H^{\varepsilon}_{\min}(X|E)$ [Ren05, Section 5.6].

Conversely, the next lemma implies that an extractor which is known to
extract m bits from any source such that $H_{\min}(X|E) > k$ can in fact extract
the same number of bits, albeit with a slightly larger error, from sources which
only satisfy $H^{\varepsilon'}_{\min}(X|E) > k$, a much weaker requirement in some cases.

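Lemma 3.5. If $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a quantum-proof
$(k,\varepsilon)$-strong extractor, then for any state $\rho_{XE}$ and any $\varepsilon' > 0$ with
$H^{\varepsilon'}_{\min}(X|E)_\rho > k$,

$$\frac{1}{2}\left\|\rho_{\mathrm{Ext}(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \rho_E\right\|_{\mathrm{tr}} < \varepsilon + 2\varepsilon'.$$

Proof. Let $\tilde\rho_{XE}$ be the state $\varepsilon'$-close to $\rho_{XE}$ for which $H_{\min}(X|E)_{\tilde\rho}$ reaches its
maximum. Then

$$\begin{aligned}
\frac{1}{2}\left\|\rho_{\mathrm{Ext}(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \rho_E\right\|_{\mathrm{tr}}
&< \frac{1}{2}\left\|\rho_{\mathrm{Ext}(X,Y)YE} - \tilde\rho_{\mathrm{Ext}(X,Y)YE}\right\|_{\mathrm{tr}}
 + \frac{1}{2}\left\|\tilde\rho_{\mathrm{Ext}(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \tilde\rho_E\right\|_{\mathrm{tr}} \\
&\quad + \frac{1}{2}\left\|\rho_{U_m} \otimes \rho_Y \otimes \tilde\rho_E - \rho_{U_m} \otimes \rho_Y \otimes \rho_E\right\|_{\mathrm{tr}} \\
&< \frac{1}{2}\left\|\tilde\rho_{\mathrm{Ext}(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \tilde\rho_E\right\|_{\mathrm{tr}}
 + \left\|\rho_{XE} - \tilde\rho_{XE}\right\|_{\mathrm{tr}} \\
&< \varepsilon + 2\varepsilon'.
\end{aligned}$$

In the second inequality above we used (twice) the fact that a trace-preserving
quantum operation can only decrease the trace distance. And in the last line we
used the fact that the purified distance — used to measure the distance between
two states (see Definition 2.2) — is larger than the trace distance. □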

Remark 3.6. Since a $(k,\varepsilon)$-strong extractor can be applied to any source with
smooth min-entropy $H^{\varepsilon'}_{\min}(X|E) > k$, we can measure the entropy loss of the
extractor — namely how much entropy was not extracted — with

$$\Delta := k - m,$$

where m is the size of the output. From Eq. (4) we have that an extractor has
optimal entropy loss if $\Delta = 2\log 1/\varepsilon + O(1)$.



4 Constructing m-bit extractors from one-bit extractors and weak designs

In this section we show how to construct a quantum m-bit extractor from any
(classical) 1-bit strong extractor.

This can be seen as a derandomization of a result by König and Terhal [KT08],
who also extract m bits in the presence of quantum side information by
concatenating m times a 1-bit extractor. They however choose a different seed for each
bit, thus having a seed of total length $d = mt$, where t is the length of the seed
of the 1-bit extractor. In the case of classical side information, this
derandomization was done by Trevisan [Tre01], who shows how to concatenate m times a
1-bit extractor using only $d = \mathrm{poly}(t, \log m)$ bits of seed.⁶ We combine the weak
designs from Raz et al. [RRV02], which they use to improve Trevisan's
extractor, and a previous observation by two of the authors [DV10], that since 1-bit
extractors were shown to be quantum-proof in [KT08], Trevisan's extractor is
also quantum-proof.

This results in a generic scheme, which can be based on any weak design
and 1-bit strong extractor. We define it in Section 4.1, then prove bounds on
the min-entropy and error in Section 4.2.

6 Trevisan's original paper does not explicitly define his extractor as a pseudo-random
concatenation of a 1-bit extractor. It has however been noted in, e.g., [Lu04, Vad04], that
this is basically what Trevisan's extractor does.
4.1 Description of Trevisan's construction

In order to shorten the seed while still outputting m bits, in Trevisan's extractor
construction paradigm the seed is treated as a string of length $d < mt$, which is
then split in m overlapping blocks of t bits, each of which is used as a (different)
seed for the 1-bit extractor. Let $y \in \{0,1\}^d$ be the total seed. To specify the
seeds for each application of the 1-bit extractor we need m sets $S_1, \dots, S_m \subset [d]$
of size $|S_i| = t$ for all i. The seeds for the different runs of the 1-bit extractor
are then given by $y_{S_i}$, namely the bits of y at the positions specified by the
elements of $S_i$.

The seeds for the different outputs of the 1-bit extractor must however be
nearly independent. To achieve this, Nisan and Wigderson [NW94] proposed to
minimize the overlap $|S_i \cap S_j|$ between the sets, and Trevisan used this idea in
his original work [Tre01]. Raz et al. [RRV02] improved this, showing that it is
sufficient for these sets to meet the conditions of a weak design.⁷

Definition 4.1 (weak design, [RRV02, Definition 5]). Sets $S_1, \dots, S_m \subset [d]$ are
said to form a weak (t,r)-design if

1. For all i, $|S_i| = t$.

2. For all i, $\sum_{j=1}^{i-1} 2^{|S_j \cap S_i|} < rm$.

We can now describe Trevisan's generic extractor construction.

Definition 4.2 (Trevisan's extractor). For a one-bit extractor
$C : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$, which uses a (not necessarily uniform) seed of length t, and
for a weak (t,r)-design $S_1, \dots, S_m \subset [d]$, we define the m-bit extractor
$\mathrm{Ext}_C : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ as

$$\mathrm{Ext}_C(x,y) := C(x, y_{S_1}) \cdots C(x, y_{S_m}).$$

Remark 4.3. The length of the seed of the extractor $\mathrm{Ext}_C$ is d, one of the
parameters of the weak design, which in turn depends on t, the size of the seed
of the 1-bit extractor C. In Section 5 we will give concrete instantiations of weak
designs and 1-bit extractors, achieving various entropy losses and seed sizes. The
size of the seed will always be $d = \mathrm{poly}(\log n)$, if the error is $\varepsilon = \mathrm{poly}(1/n)$.
For example, to achieve a near optimal entropy loss (Section 5.1), we need
$d = O(t^2 \log m)$ and $t = O(\log n)$, hence $d = O(\log^3 n)$.
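A minimal Python sketch of Definitions 4.1 and 4.2, added here as an illustration and not taken from the paper. It assumes a Nisan-Wigderson style polynomial design over a prime field as the weak design and the GF(2) inner product as the one-bit extractor C (so n = t in this toy instance); neither choice is one of the instantiations of Section 5, and all function names and sample values are hypothetical.

```python
from itertools import product


def polynomial_design(q, degree_bound, m):
    """Return m sets S_i of positions in range(q*q), each of size t = q.

    S_i is the graph {a*q + p_i(a) mod q : a in F_q} of the i-th polynomial of
    degree < degree_bound over F_q (q prime). Two distinct polynomials agree
    on at most degree_bound - 1 points, which bounds |S_i ∩ S_j|.
    Positions are 0-based, i.e. [d] is represented as range(d) with d = q*q.
    """
    if m > q ** degree_bound:
        raise ValueError("not enough polynomials for m sets")
    sets = []
    for coeffs in product(range(q), repeat=degree_bound):
        if len(sets) == m:
            break
        sets.append([a * q + sum(c * pow(a, e, q) for e, c in enumerate(coeffs)) % q
                     for a in range(q)])
    return sets


def overlap_sums(sets):
    """For each i, the sum over j < i of 2^{|S_j ∩ S_i|} (Definition 4.1, item 2)."""
    as_sets = [set(s) for s in sets]
    return [sum(2 ** len(as_sets[j] & as_sets[i]) for j in range(i))
            for i in range(len(as_sets))]


def is_weak_design(sets, t, r):
    """Check both conditions of Definition 4.1 as stated on this page."""
    m = len(sets)
    sizes_ok = all(len(set(s)) == t for s in sets)
    return sizes_ok and all(total < r * m for total in overlap_sums(sets))


def inner_product_bit(x, seed):
    """Assumed one-bit extractor C(x, seed) = <x, seed> mod 2 (needs len(x) == len(seed))."""
    if len(x) != len(seed):
        raise ValueError("this toy C needs a seed as long as the input")
    return sum(a & b for a, b in zip(x, seed)) % 2


def trevisan_extract(x, y, sets, one_bit=inner_product_bit):
    """Ext_C(x, y) = C(x, y_{S_1}) ... C(x, y_{S_m}) (Definition 4.2)."""
    return [one_bit(x, [y[pos] for pos in s]) for s in sets]


if __name__ == "__main__":
    q, m = 5, 10                      # t = 5, d = 25, versus m*t = 50 independent seed bits
    design = polynomial_design(q, degree_bound=2, m=m)
    x = [1, 0, 1, 1, 0]               # constructed input, n = t = 5
    y = [1 if i % 3 == 0 else 0 for i in range(q * q)]  # constructed seed
    print("overlap sums:", overlap_sums(design))
    print("weak (5, 2)-design:", is_weak_design(design, t=5, r=2))
    print("output:", trevisan_extract(x, y, design))
```

Each output bit depends only on the seed positions in its own set, so changing a seed bit outside $S_i$ leaves bit i unchanged, while the overlap sums show how much the blocks share.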

4.2 Analysis 

We now prove that the extractor defined in the previous section is a
quantum-proof strong extractor. The first step follows the structure of the classical
proof [Tre01, RRV02]. We show that an adversary holding the side
information and who can distinguish the output of the extractor $\mathrm{Ext}_C$ from uniform
can — given a little extra information — distinguish the output of the
underlying 1-bit extractor C from uniform. This is summed up in the following
proposition:

7 The second condition of the weak design was originally defined as
$\sum_{j=1}^{i-1} 2^{|S_j \cap S_i|} < r(m-1)$. We prefer to use the version of [HR03], since it
simplifies the notation without changing the design constructions.
Proposition 4.4. Let X be a classical random variable correlated to some
quantum system E, let Y be a (not necessarily uniform) seed, independent from XE,
and let

$$\left\|\rho_{\mathrm{Ext}_C(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \rho_E\right\|_{\mathrm{tr}} > \varepsilon, \tag{5}$$

where $\mathrm{Ext}_C$ is the extractor from Definition 4.2. Then there exists a partition
of the seed Y in two substrings V and W, and a classical random variable G,
such that G has size $H_0(G) < rm$, where r is one of the parameters of the weak
design (Definition 4.1), $V \leftrightarrow W \leftrightarrow G$ form a Markov chain,⁸ and

$$\left\|\rho_{C(X,V)VWGE} - \rho_{U_1} \otimes \rho_{VWGE}\right\|_{\mathrm{tr}} > \frac{\varepsilon}{m}. \tag{6}$$



We provide a proof of Proposition 4.4 in Appendix B.2, where it is restated
as Proposition B.5.

For readers familiar with Trevisan's scheme [Tre01, RRV02], we briefly sketch
the correspondence between the variables of Proposition 4.4 and quantities
analyzed in Trevisan's construction. Trevisan's security proof proceeds by assuming
by contradiction that there exists an adversary, holding E, who can distinguish
between the output of the extractor and the uniform distribution (Eq. (5)). Part
of the seed is then fixed (this corresponds to W in the above statement) and
some classical advice is taken (this corresponds to G in the above statement)
to construct another adversary who can distinguish a specific bit of the
output from uniform. But since a specific bit of Trevisan's extractor is just the
underlying 1-bit extractor applied to a substring of the seed (V in the above
statement), this new adversary (who holds WGE) can distinguish the output
of the 1-bit extractor from uniform (Eq. (6)).

In the classical case Proposition 4.4 would be sufficient to prove the
correctness of Trevisan's scheme, since it shows that if an adversary can distinguish
$\mathrm{Ext}_C$ from uniform, then he can distinguish C from uniform given a few extra
advice bits, which contradicts the assumption that C is an extractor.¹⁰ But
since our assumption is that the underlying 1-bit extractor is only
classical-proof, we still need to show that the quantum adversary who can distinguish
C(X, V) from uniform is not more powerful than a classical adversary, and so
if he can distinguish the output of C from uniform, so can a classical adversary.
This has already been done by König and Terhal [KT08], who show that 1-bit
extractors are quantum-proof.

Theorem 4.5 ([KT08, Theorem III.1]). Let $C : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ be
a $(k, \varepsilon)$-strong extractor. Then $C$ is a quantum-proof
$(k + \log 1/\varepsilon, 3\sqrt{\varepsilon})$-strong extractor (footnote 11).

We now need to put Proposition 4.4 and Theorem 4.5 together to prove that
Trevisan's extractor is quantum-proof. The cases of uniform and weak random
seeds differ somewhat in the details. We therefore give two separate proofs for
these two cases in Section 4.2.1 and Section 4.2.2.

8 Three random variables are said to form a Markov chain
$X \leftrightarrow Y \leftrightarrow Z$ if for all $x, y, z$ we have
$P_{Z|YX}(z|y,x) = P_{Z|Y}(z|y)$, or equivalently
$P_{ZX|Y}(z,x|y) = P_{Z|Y}(z|y) P_{X|Y}(x|y)$.

9 Note that Ta-Shma [TS09] has already implicitly proved that this proposition must hold
in the presence of quantum side information, by arguing that the adversary can be viewed
as an oracle. The present statement is a strict generalization of that reasoning, which allows
conditional min-entropy as well as non-uniform seeds to be used.

10 In the classical case, [Tre01, RRV02] still show that an adversary who can distinguish
$C(X, V)$ from uniform can reconstruct $X$ with high probability. But this is nothing else than
proving that $C$ is an extractor.

11 This result holds whether the seed is uniform or not.



4.2.1 Uniform seed 

We show that Trevisan's extractor is a quantum-proof strong extractor with 
uniform seed with the following parameters. 

Theorem 4.6. Let $C : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ be a $(k, \varepsilon)$-strong
extractor with uniform seed and $S_1, \dots, S_m \subset [d]$ a weak $(t, r)$-design.
Then the extractor given in Definition 4.2,
$\mathrm{Ext}_C : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$, is a quantum-proof
$(k + rm + \log 1/\varepsilon, 3m\sqrt{\varepsilon})$-strong extractor.

Proof. In Proposition 4.4, if the seed $Y$ is uniform, then $V$ is independent from
$W$ and hence by the Markov chain property from $G$ as well, so Eq. (6) can be
rewritten as

$$\left\| \rho_{C(X,V)VWGE} - \rho_{U_1} \otimes \rho_V \otimes \rho_{WGE} \right\|_{\mathrm{tr}} > \frac{\varepsilon}{m},$$

which corresponds to the exact security criterion of the definition of an extractor.

Let $C$ be a $(k, \varepsilon)$-strong extractor with uniform seed, and assume that an
adversary holds a system $E$ such that

$$\left\| \rho_{\mathrm{Ext}_C(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \rho_E \right\|_{\mathrm{tr}} > 3m\sqrt{\varepsilon}.$$

Then by Proposition 4.4 and because $Y$ is uniform, we know that there exists
a classical system $G$ with $H_0(G) \le rm$, and a partition of $Y$ in $V$ and $W$, such
that

$$\left\| \rho_{C(X,V)VWGE} - \rho_{U_1} \otimes \rho_V \otimes \rho_{WGE} \right\|_{\mathrm{tr}} > 3\sqrt{\varepsilon}. \tag{7}$$

Since $C$ is a $(k, \varepsilon)$-strong extractor, we know from Theorem 4.5 that we must
have $H_{\min}(X|WGE) < k + \log 1/\varepsilon$ for Eq. (7) to hold. Hence by Lemma B.3,
$H_{\min}(X|E) = H_{\min}(X|WE) \le H_{\min}(X|WGE) + H_0(G) < k + rm + \log 1/\varepsilon$. □



4.2.2 Weak random seed 

We also show that Trevisan's extractor is a quantum-proof strong extractor with 
weak random seed, with the following parameters. 

Theorem 4.7. Let $C : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ be a $(k, \varepsilon)$-strong
extractor with an $s$-bit seed — i.e., the seed needs at least $s$ bits of
min-entropy — and $S_1, \dots, S_m \subset [d]$ a weak $(t, r)$-design. Then the extractor
given in Definition 4.2, $\mathrm{Ext}_C : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$, is a
quantum-proof $(k + rm + \log 1/\varepsilon, 6m\sqrt{\varepsilon})$-strong extractor for any
seed with min-entropy $d - \left(t - s - \log \frac{1}{3\sqrt{\varepsilon}}\right)$.

The main difference between this proof and that of Theorem 4.6 is that
since the seed $Y$ is not uniform in Proposition 4.4, the substring $W$ of the seed
not used by the 1-bit extractor $C$ is correlated to the seed $V$ of $C$, and acts as
classical side information about the seed. To handle this, we show in Lemma A.3
that with probability $1 - \varepsilon$ over the values of $W$, $V$ still contains a lot of
min-entropy, roughly $s' - d'$, where $d'$ is the length of $W$ and $s'$ the min-entropy
of $Y$. And hence an adversary holding $WGE$ can distinguish the output of $C$ from
uniform, even though the seed has enough min-entropy.

Proof of Theorem 4.7. Let $C$ be a $(k, \varepsilon)$-strong extractor with $s$ bits of
min-entropy in the seed, and assume that an adversary holds a system $E$ such that

$$\left\| \rho_{\mathrm{Ext}_C(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \rho_E \right\|_{\mathrm{tr}} > 6m\sqrt{\varepsilon}.$$

Then by Proposition 4.4 we have

$$\left\| \rho_{C(X,V)VWGE} - \rho_{U_1} \otimes \rho_{VWGE} \right\|_{\mathrm{tr}} > 6\sqrt{\varepsilon}. \tag{8}$$

Since the adversary has classical side-information $W$ about the seed $V$, we
need an extra step to handle it. Lemma A.3 tells us that from Eq. (8) and
because by Theorem 4.5 $C$ is a quantum $(k + \log 1/\varepsilon, 3\sqrt{\varepsilon})$-strong
extractor, we must have either for some $w$, $H_{\min}(X|GEW = w) < k + \log 1/\varepsilon$
and hence

$$H_{\min}(X|E) = H_{\min}(X|EW = w) \le H_{\min}(X|GEW = w) + H_0(G) < k + rm + \log 1/\varepsilon,$$

or $H_{\min}(V|W) < s + \log \frac{1}{3\sqrt{\varepsilon}}$, from which we obtain using Lemma B.1

$$H_{\min}(Y) \le H_{\min}(V|W) + H_0(W) < s + \log \frac{1}{3\sqrt{\varepsilon}} + d - t. \qquad \Box$$



5 Concrete constructions 

Depending on what goal has been set — e.g., maximize the output, minimize the
seed length — different 1-bit extractors and weak designs will be needed. In this
section we give a few examples of what can be done, by taking various classical
extractors and designs, and plugging them into Theorem 4.6 (or Theorem 4.7),
to obtain bounds on the seed size and entropy loss in the presence of quantum
side information.

The results are usually given using the O-notation. This is always meant
with respect to all the free variables, e.g., $O(1)$ is a constant independent of the
input length $n$, the output length $m$, and the error $\varepsilon$. Likewise, $o(1)$ goes to
0 for both $n$ and $m$ large.

We first consider the problem of extracting all the min-entropy of the source
in Section 5.1. This was achieved in the classical case by Raz et al. [RRV02], so
we use the same 1-bit extractor and weak design as them.

In Section 5.2 we give a scheme which uses a seed of length $d = O(\log n)$, but
can only extract part of the entropy. This is also based on Raz et al. [RRV02]
in the classical case.

In Section 5.3 we combine an extractor and design which are locally
computable (from Vadhan [Vad04] and Hartman and Raz [HR03] respectively), to
produce a quantum $m$-bit extractor, such that each bit of the output depends
on only $O(\log(m/\varepsilon))$ bits of the input.

And finally in Section 5.4 we use a 1-bit extractor from Raz [Raz05], which
only requires a weakly random seed, resulting in a quantum $m$-bit extractor,
which also works with a weakly random seed.

These constructions are summarized in Table 1 on page 5.






5.1 Near optimal entropy loss 

To achieve a near optimal entropy loss we need to combine a 1-bit extractor with
near optimal entropy loss and a weak $(t, 1)$-design. We use the same extractor
and design as Raz et al. [RRV02] to do so.

Lemma 5.1 ([RRV02, Lemma 17]; footnote 12). For every $t, m \in \mathbb{N}$ there exists a
weak $(t, 1)$-design $S_1, \dots, S_m \subset [d]$ such that
$d = t \lceil t / \ln 2 \rceil \lceil \log 4m \rceil = O(t^2 \log m)$.
Moreover, such a design can be found in time poly$(m, d)$ and space poly$(m)$.

As 1-bit extractor, Raz et al. [RRV02] (and Trevisan [Tre01] too) used the
bits of a list-decodable code. We give the parameters here as Proposition 5.2
and refer to Appendix C for details on the construction and proof.

Proposition 5.2. For any $\varepsilon > 0$ and $n \in \mathbb{N}$ there exists a
$(k, \varepsilon)$-strong extractor with uniform seed
$\mathrm{Ext}_{n,\varepsilon} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}$ with
$d = O(\log(n/\varepsilon))$ and $k = 3 \log 1/\varepsilon$.

Plugging this into Theorem 4.6 we get a quantum extractor with parameters
similar to Raz et al. [RRV02].

Corollary 5.3. Let $C_{n,\delta} : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ be the extractor from
Proposition 5.2 with $\delta =$ and let $S_1, \dots, S_m \subset [d]$ be the weak
$(t, 1)$-design from Lemma 5.1. Then

$$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m, \qquad (x, y) \mapsto C(x, y_{S_1}) \cdots C(x, y_{S_m})$$

is a quantum-proof $(m + 8 \log m + 8 \log 1/\varepsilon + O(1), \varepsilon)$-strong extractor
with uniform seed, with $d = O(\log^2(n/\varepsilon) \log m)$.
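
The construction of Corollary 5.3, Ext(x, y) = C(x, y_{S_1}) ... C(x, y_{S_m}), as an added Python example that is not code from the paper. It assumes a toy design built from lines over GF(p) and the inner-product bit (one bit of a Hadamard codeword) as 1-bit extractor, both stand-ins for the [RRV02] design and list-decodable code; all function names are hypothetical, and the distance check is the classical criterion without side information E.

```python
"""Toy Trevisan-style extractor: weak design + 1-bit extractor (classical check)."""
from fractions import Fraction
from itertools import product
from math import log2, sqrt


def line_design(p, m):
    """Return m index tuples S_1..S_m in [d], d = p*p, each of size t = p.

    S is the graph {a*p + (c1*a + c0) % p : a in GF(p)} of a line over GF(p),
    p prime. Two distinct lines meet in at most one point, so |S_i & S_j| <= 1.
    Stand-in design chosen for brevity; it is not the [RRV02] construction.
    """
    lines = [(c1, c0) for c1 in range(p) for c0 in range(p)]
    if m > len(lines):
        raise ValueError("this toy design provides at most p*p sets")
    return [tuple(a * p + (c1 * a + c0) % p for a in range(p))
            for c1, c0 in lines[:m]]


def weak_design_r(sets):
    """Smallest r such that sum_{j<i} 2^|S_j & S_i| <= r*m holds for every i."""
    m = len(sets)
    worst = max(sum(2 ** len(set(sets[j]) & set(sets[i])) for j in range(i))
                for i in range(m))
    return Fraction(worst, m)


def inner_product_bit(x, v):
    """1-bit extractor C(x, v) = <x, v> mod 2 (bit v of the Hadamard code of x)."""
    if len(x) != len(v):
        raise ValueError("seed block and input must have the same length")
    return sum(a & b for a, b in zip(x, v)) % 2


def trevisan(x, y, sets, one_bit=inner_product_bit):
    """Ext(x, y) = C(x, y_{S_1}) ... C(x, y_{S_m})."""
    return tuple(one_bit(x, tuple(y[i] for i in s)) for s in sets)


def quantum_proof_params(k, eps, r, m):
    """Theorem 4.6: (k, eps) 1-bit extractor -> (k + r*m + log 1/eps, 3*m*sqrt(eps))."""
    return float(k + r * m) + log2(1 / eps), 3 * m * sqrt(eps)


def distance_from_uniform(source, sets, d):
    """Exact 1/2 * ||P_{Ext(X,Y)Y} - U_m x U_d||_1, X uniform on `source`, Y uniform.

    Classical criterion with no side information E; feasible only for tiny d.
    """
    m = len(sets)
    total = Fraction(0)
    for y in product((0, 1), repeat=d):
        counts = {}
        for x in source:
            z = trevisan(x, y, sets)
            counts[z] = counts.get(z, 0) + 1
        seen = sum(abs(Fraction(c, len(source)) - Fraction(1, 2 ** m))
                   for c in counts.values())
        unseen = Fraction(2 ** m - len(counts), 2 ** m)
        total += seen + unseen
    return total / (2 * 2 ** d)


if __name__ == "__main__":
    p = 3                                   # t = 3 seed bits per output bit, d = 9
    sets = line_design(p, 4)                # m = 4 output bits
    x = (1, 0, 1)                           # constructed 3-bit source sample
    y = (1, 1, 0, 0, 1, 0, 1, 0, 1)         # constructed 9-bit seed
    r = weak_design_r(sets)
    print("design:", sets, "r =", r)
    print("output:", trevisan(x, y, sets))
    # (k, eps) = (2, 2^-20) is a constructed parameter pair for the 1-bit extractor
    print("Theorem 4.6 parameters:", quantum_proof_params(2, 2 ** -20, r, 4))
    all_x = list(product((0, 1), repeat=p))
    print("distance, m = 1:", distance_from_uniform(all_x, sets[:1], p * p))
    print("distance, m = 2:", distance_from_uniform(all_x, sets[:2], p * p))
```

The exact distance grows with the number of output bits for a fixed source, which is the trade-off the entropy-loss term in the corollary accounts for.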

For $\varepsilon = \mathrm{poly}(1/n)$ the seed has length $d = O(\log^3 n)$. The entropy loss is
$\Delta = 8 \log m + 8 \log 1/\varepsilon + O(1)$, which means that the input still has this much
randomness left in it (conditioned on the output). We can extract a bit more by
now applying a second extractor to the input. For this we will use the extractor
by Tomamichel et al. [TSSR10], which is a quantum $(k', \varepsilon')$-strong extractor with
seed length $d' = O(m' + \log n' + \log 1/\varepsilon')$ and entropy loss
$\Delta' = 4 \log 1/\varepsilon' + O(1)$, where $n'$ and $m'$ are the input and output string
lengths. Since we will use it for $m' = 8 \log m + 4 \log 1/\varepsilon' + O(1)$, we
immediately get the following corollary from Lemma A.4.

Corollary 5.4. By applying the extractors from Corollary 5.3 and [TSSR10,
Theorem 10] in succession, we get a new function
$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$, which is a quantum-proof
$(m + 4 \log 1/\varepsilon + O(1), \varepsilon)$-strong extractor with uniform seed, with
$d = O(\log^2(n/\varepsilon) \log m)$.

For $\varepsilon = \mathrm{poly}(1/n)$ the seed has length $d = O(\log^3 n)$.

The entropy loss is $\Delta = 4 \log 1/\varepsilon + O(1)$, which is only a factor 2 times
larger than the optimal entropy loss. By Lemma 3.5 this extractor can produce
$m = H^{\varepsilon}_{\min}(X|E) - 4 \log 1/\varepsilon - O(1)$ bits of randomness with an error $3\varepsilon$.

12 Hartman and Raz [HR03] give a more efficient construction of this lemma, namely in time
poly$(\log m, t)$ and space poly$(\log m + \log t)$, with the extra minor restriction that
$m > t^{\log t}$.

5.2 Seed of logarithmic size

The weak design used in Section 5.1 requires a seed of length $d = \Theta(t^2 \log m)$,
where $t$ is the size of the seed of the 1-bit extractor. Since $t$ cannot be less than
$\log n$, a scheme using this design will always have $d = \Omega(\log^2 n \log m)$. If we
want to use a seed of size $d = O(\log n)$ we need a different weak design.

Lemma 5.5 ([RRV02, Lemma 15]). For every $t, m \in \mathbb{N}$ and $r > 1$, there exists a
weak $(t, r)$-design $S_1, \dots, S_m \subset [d]$ such that
$d = t \lceil t / \ln r \rceil = O(t^2 / \log r)$. Moreover,
such a design can be found in time poly$(m, d)$ and space poly$(m)$.

For the 1-bit extractor we can use the same as in the previous section,
Proposition 5.2.

Plugging this into Theorem 4.6 with $\log r = \Theta(t)$, we get a quantum
extractor with logarithmic seed length.

Corollary 5.6. If for any constant $0 < \alpha < 1$, the source has min-entropy
$H_{\min}(X|E) = n^{\alpha}$, and the desired error is $\varepsilon = \mathrm{poly}(1/n)$, then using the
extractor $C_{n,\delta} : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ from Proposition 5.2 with
$\delta = \frac{\varepsilon^2}{9m^2}$ and the weak $(t, r)$-design $S_1, \dots, S_m \subset [d]$ from
Lemma 5.5 with $r = n^{\gamma}$ for any $0 < \gamma < \alpha$, we have that

$$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m, \qquad (x, y) \mapsto C(x, y_{S_1}) \cdots C(x, y_{S_m})$$

is a quantum-proof $(n^{\gamma} m + 8 \log m + 8 \log 1/\varepsilon + O(1), \varepsilon)$-strong extractor
with uniform seed, with $d = O\left(\frac{1}{\gamma} \log n\right)$.

Choosing $\gamma$ to be a constant results in a seed of length $d = O(\log n)$. The
output length is $m = n^{\alpha - \gamma} - o(1) = H_{\min}(X|E)^{1 - \gamma/\alpha} - o(1)$. By Lemma 3.5
this can be increased to $m = H^{\varepsilon}_{\min}(X|E)^{1 - \gamma/\alpha} - o(1)$ with an error of $3\varepsilon$.

5.3 Locally computable extractor 

Another interesting feature of extractors is to be local, that is, the $m$-bit output
depends only on a small subset of the $n$ input bits. This is useful in, e.g., the
bounded storage model (see [Mau92, Lu04, Vad04] for the case of a classical
adversary and [KR07] for a general quantum treatment), where we assume a
huge source of random bits, say $n$, are available, and the adversary's storage is
bounded by $vn$ for some constant $v < 1$. Legitimate parties are also assumed
to have bounded workspace for computation. In particular, for the model to be
meaningful, the bound is stricter than that on the adversary. So to extract a
secret key from the large source of randomness, they need an extractor which
only reads $\ell \ll n$ bits.

Definition 5.7 ($\ell$-local extractor). An extractor
$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is $\ell$-locally computable (or
$\ell$-local), if for every $r \in \{0,1\}^d$, the function $x \mapsto \mathrm{Ext}(x, r)$ depends
on only $\ell$ bits of its input, where the bit locations are determined by $r$.

Lu [Lu04] modified Trevisan's scheme [Tre01, RRV02] to use a local
list-decodable code as 1-bit extractor. Vadhan [Vad04] proposes another
construction for local extractors, which is optimal up to constant factors. Both
these constructions have similar parameters in the case of 1-bit extractors
(footnote 13). We state the parameters of Vadhan's construction here and Lu's
constructions in Appendix C.

Lemma 5.8 ([Vad04, Theorem 8.5]). For any $\varepsilon > \exp\left(-n / 2^{O(\log^* n)}\right)$,
$n \in \mathbb{N}$ and constant $0 < \gamma < 1$, there exists an explicit $\ell$-local
$(k, \varepsilon)$-strong extractor with uniform seed
$\mathrm{Ext}_{n,\varepsilon,\gamma} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}$ with
$d = O(\log(n/\varepsilon))$, $k = \gamma n$ and $\ell = O(\log 1/\varepsilon)$.

Since we assume that the available memory is limited, we also want the 
construction of the weak design to be particularly efficient. For this we can use 
a construction by Hartman and Raz [HR03].

Lemma 5.9 ([HR03, Theorem 3]). For every $m, t \in \mathbb{N}$, such that
$m = \Omega(t^{\log t})$, and constant $r > 1$, there exists an explicit weak
$(t, r)$-design $S_1, \dots, S_m \subset [d]$, where $d = O(t^2)$. Such a design can be found
in time poly$(\log m, t)$ and space poly$(\log m + \log t)$.

Remark 5.10. For the extractor from Lemma 5.8 and an error $\varepsilon = \mathrm{poly}(1/n)$,
this design requires $m = \Omega((\log n)^{\log \log n})$. If we are interested in a smaller $m$,
say $m = \mathrm{poly}(\log n)$, then we can use the weak design from Lemma 5.5 with
$r = n^{\gamma}$. This construction would require time and space
poly$(\log n)$ = poly$(\log 1/\varepsilon)$.
The resulting seed would have length only $O(\log n)$ instead of $O(\log^2 n)$.

Plugging this into Theorem 4.6 we get a quantum local extractor.

Corollary 5.11. If for any constant $0 < \alpha < 1$, the source has min-entropy
$H_{\min}(X|E) = \alpha n$, then using the weak $(t, r)$-design $S_1, \dots, S_m \subset [d]$ from
Lemma 5.9 and the extractor $C_{n,\delta,\gamma} : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ from
Lemma 5.8 with $\delta = \frac{\varepsilon^2}{9m^2}$ and any constant $\gamma < \alpha$, we have that

$$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m, \qquad (x, y) \mapsto C(x, y_{S_1}) \cdots C(x, y_{S_m})$$

is a quantum-proof $\ell$-local $(\gamma n + rm + 2 \log m + 2 \log 1/\varepsilon + O(1), \varepsilon)$-strong
extractor with uniform seed, with $d = O(\log^2(n/\varepsilon))$ and $\ell = O(m \log(m/\varepsilon))$.
Furthermore, each bit of the output depends on only $O(\log(m/\varepsilon))$ bits of the input.

With these parameters the extractor can produce up to
$m = (\alpha - \gamma) n / r - O(\log 1/\varepsilon) = (H_{\min}(X|E) - \gamma n)/r - O(\log 1/\varepsilon)$ bits of
randomness, with $\varepsilon = \mathrm{poly}(1/n)$. By Lemma 3.5 this can be increased to
$m = (H^{\varepsilon}_{\min}(X|E) - \gamma n)/r - O(\log 1/\varepsilon)$ with an error of $3\varepsilon$.

5.4 Weak random seed 

Extractors with weak random seeds typically require the seed to have a
min-entropy linear in its length. Theorem 4.7 says that the difference between the
length and the min-entropy of the seed needed in Trevisan's extractor is roughly
the same as the difference between the length and min-entropy of the seed of
the underlying 1-bit extractor. So we will describe in detail how to modify the
construction from Section 5.2 to use a weakly random seed. As that extractor
uses a seed of length $O(\log n)$, this new construction allows us to preserve the
linear loss in the min-entropy of the seed. Any other version of Trevisan's
extractor can be modified in the same way to use a weakly random seed, albeit
with weaker parameters.

13 If the extractor is used to extract $m$ bits, then Vadhan's scheme reads fewer input bits and
uses a shorter seed than Lu's.

We will use a result by Raz [Raz05], which allows any extractor which needs
a uniform seed to be transformed into one which can work with a weakly random
seed.

Lemma 5.12 ([Raz05, Theorem 4]). For any $(k, \varepsilon)$-strong extractor
$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ with uniform seed, there exists a
$(k, 2\varepsilon)$-strong extractor $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^{t'} \to \{0,1\}^m$ requiring
only a seed with min-entropy $H_{\min}(Y) \ge \left(\frac{1}{2} + \beta\right) t'$, where $t' = 8t/\beta$.

By applying this lemma to the 1-bit extractor given in Proposition 5.2 we
obtain the following 1-bit extractor.

Corollary 5.13. For any $\varepsilon > 0$ and $n \in \mathbb{N}$ there exists a
$(k, \varepsilon)$-strong extractor
$\mathrm{Ext}_{n,\varepsilon} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}$ requiring a seed with
min-entropy $\left(\frac{1}{2} + \beta\right) d$, where $d = O\left(\frac{1}{\beta} \log(n/\varepsilon)\right)$
and $k = 3 \log 1/\varepsilon + 3$.

Plugging this and the weak design from Lemma 5.5 in Theorem 4.7 we get
the following extractor with weak random seed.

Corollary 5.14. Let $\alpha > 0$ be a constant such that the source has min-entropy
$H_{\min}(X|E) = n^{\alpha}$, and the desired error is $\varepsilon = \mathrm{poly}(1/n)$. Using the extractor
$C_{n,\delta} : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ from Corollary 5.13 with $\delta =$ and the weak
$(t, r)$-design $S_1, \dots, S_m \subset [d]$ from Lemma 5.5 with $r = n^{\gamma}$ for any
$0 < \gamma < \alpha$, we have that

$$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m, \qquad (x, y) \mapsto C(x, y_{S_1}) \cdots C(x, y_{S_m})$$

is a quantum-proof $(n^{\gamma} m + 8 \log m + 8 \log 1/\varepsilon + O(1), \varepsilon)$-strong extractor with
an $s$-bit weak random seed, where the seed has length
$d = O\left(\frac{1}{\beta^2 \gamma} \log n\right)$ and

min-entropy s = ( 1 — - — d, for some constant c F^I 



Choosing $\beta$ and $\gamma$ to be constants results in a seed of length $d = O(\log n)$
with a possible entropy-loss linear in $d$. The output length is the same as in
Section 5.2, $m = n^{\alpha - \gamma} - o(1) = H_{\min}(X|E)^{1 - \gamma/\alpha} - o(1)$.

If we are interested in extracting all the min-entropy of the source, we can
combine Lemma 5.12 with the extractor from Section 5.1. This results in a new
extractor with seed length $d = O(\log^3 n)$ and seed min-entropy $s = d - O(\sqrt[3]{d})$.



6 Other variations of Trevisan's scheme 

There exist many results modifying and improving Trevisan's extractor. Some
of them still follow the "design and 1-bit extractor" pattern — hence our work
implies that these are immediately quantum-proof with roughly the same
parameters — e.g., the work of Raz et al. [RRV02] and Lu [Lu04], which were
mentioned in Section 5 and correspond to modifications of the design and 1-bit
extractor respectively. Other results such as [RRV02, TSZS06, SU05] replace
the binary list-decoding codes with multivariate codes over a field F. The
connection to 1-bit extractors is not clear anymore, and the security in the
presence of quantum side information not guaranteed.

14 If we work out the exact constant, we find that c d/t ss ^ "t „ ■ for e = n~ a .

Raz et al. extract a little more randomness than we do in Section 5.1.
They achieve this by composing (in the sense described in Appendix A.2) the
scheme of Corollary 5.3 with an extractor by Srinivasan and Zuckerman [SZ99],
which has an optimal entropy loss of $\Delta = 2 \log 1/\varepsilon + O(1)$. In the presence
of quantum side information this extractor has only been proven to have an
entropy loss of $\Delta = 4 \log 1/\varepsilon + O(1)$ in [TSSR10], hence our slightly weaker
result in Corollary 5.4. This still leaves room for a small improvement.

In the case of a logarithmic seed length, Impagliazzo et al. [ISW00] and Ta-
Shma et al. [TSUZOfj modify Trevisan's extractor to work for a sub-polynomial 
entropy source, still using a seed of size d = O(logn). While it is unclear 
whether these modifications preserve the "design and 1-bit extractor" structure, 
it is an interesting open problem to analyze them in the context of quantum 
side information. 



Appendices 

A More on extractors 
A.1 Weak random seed

In Section 3.1 we defined extractors as functions which take a uniformly random
seed. This is the most common way of defining them, but not a necessary
condition. Instead we can consider extractors which use a seed which is only
weakly random, but with a bounded min-entropy. We extend Definition 3.1 this
way.

Definition A.1 (strong extractor with weak random seed). A function
$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a $(k, \varepsilon)$-strong extractor with an
$s$-bit seed, if for all distributions $X$ with $H_{\min}(X) \ge k$ and any seed $Y$
independent from $X$ with $H_{\min}(Y) \ge s$, we have

$$\frac{1}{2} \left\| \rho_{\mathrm{Ext}(X,Y)Y} - \rho_{U_m} \otimes \rho_Y \right\|_{\mathrm{tr}} \le \varepsilon,$$

where $\rho_{U_m}$ is the fully mixed state on a system of dimension $2^m$.

If quantum side information about the input is present in a system $E$, then
as before, we require the seed and the output to be independent from that
side information.

Definition A.2 (quantum-proof strong extractor with weak random seed). A
function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a quantum-proof
$(k, \varepsilon)$-strong extractor with an $s$-bit seed, if for all states $\rho_{XE}$ classical on
$X$ with $H_{\min}(X|E)_{\rho} \ge k$, and for any seed $Y$ independent from $XE$ with
$H_{\min}(Y) \ge s$, we have

$$\frac{1}{2} \left\| \rho_{\mathrm{Ext}(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \rho_E \right\|_{\mathrm{tr}} \le \varepsilon,$$

where $\rho_{U_m}$ is the fully mixed state on a system of dimension $2^m$.

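Lemma 3.3 says that any extractor will work with roughly the same
parameters when classical side information about the input $X$ is present. The same
holds in the case of classical side information $Z$ about the seed $Y$.

Lemma A.3. Let $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ be a quantum-proof
$(k, \varepsilon)$-strong extractor with an $s$-bit seed. Then for any classical $X$, $Y$ and
$Z$, and quantum $E$, such that $XE$ and $Y$ are independent,
$Y \leftrightarrow Z \leftrightarrow E$ form a Markov chain (footnote 15),
$H_{\min}(Y|Z) \ge s + \log 1/\varepsilon$, and for all $z \in \mathcal{Z}$,
$H_{\min}(X|EZ = z) \ge k$, we have

$$\frac{1}{2} \left\| \rho_{\mathrm{Ext}(X,Y)YZE} - \rho_{U_m} \otimes \rho_{YZE} \right\|_{\mathrm{tr}} \le 2\varepsilon.$$

Proof. For any two classical systems $Y$ and $Z$, we have

$$2^{-H_{\min}(Y|Z)} = \mathop{\mathbb{E}}_{z \leftarrow Z} \left[ 2^{-H_{\min}(Y|Z=z)} \right],$$

so by Markov's inequality,

$$\Pr_{z \leftarrow Z} \left[ H_{\min}(Y|Z = z) \le H_{\min}(Y|Z) - \log 1/\varepsilon \right] \le \varepsilon.$$

And since $Y \leftrightarrow Z \leftrightarrow E$ form a Markov chain, we have for all $z \in \mathcal{Z}$,

$$\rho_{YE|Z=z} = \rho_{Y|Z=z} \otimes \rho_{E|Z=z}.$$

Hence

$$\frac{1}{2} \left\| \rho_{\mathrm{Ext}(X,Y)YEZ} - \rho_{U_m} \otimes \rho_{YEZ} \right\|_{\mathrm{tr}}
= \frac{1}{2} \sum_{z \in \mathcal{Z}} P_Z(z) \left\| \rho_{\mathrm{Ext}(X,Y)YE|Z=z} - \rho_{U_m} \otimes \rho_{YE|Z=z} \right\|_{\mathrm{tr}}$$

$$= \frac{1}{2} \sum_{z \in \mathcal{Z}} P_Z(z) \left\| \rho_{\mathrm{Ext}(X,Y)YE|Z=z} - \rho_{U_m} \otimes \rho_{Y|Z=z} \otimes \rho_{E|Z=z} \right\|_{\mathrm{tr}} \le 2\varepsilon. \qquad \Box$$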

The case of quantum side information correlated to both the input and the 
seed is out of the scope of this work. 



A.2 Composing extractors

If an extractor does not have optimal entropy loss, a useful approach to extract
more entropy is to apply a second extractor to the original input, trying to
extract the randomness that remains when the output of the first extractor is
known. This was first proposed in the classical case by Wigderson and Zuckerman
[WZ99], and improved by Raz et al. [RRV02]. König and Terhal [KT08]
gave the first quantum version for composing $m$ times quantum 1-bit extractors.
We slightly generalize the result of König and Terhal [KT08] to the composition
of arbitrary quantum extractors.

15 A ccq state $\rho_{XYE}$ forms a Markov chain $X \leftrightarrow Y \leftrightarrow E$ if it can be
expressed as $\rho_{XYE} = \sum_{x,y} P_{XY}(x,y)\, |x,y\rangle\langle x,y| \otimes \rho^{y}_{E}$.

Lemma A.4. Let $\mathrm{Ext}_1 : \{0,1\}^n \times \{0,1\}^{d_1} \to \{0,1\}^{m_1}$ and
$\mathrm{Ext}_2 : \{0,1\}^n \times \{0,1\}^{d_2} \to \{0,1\}^{m_2}$ be quantum-proof
$(k, \varepsilon_1)$- and $(k - m_1, \varepsilon_2)$-strong extractors.
Then the composition of the two, namely

$$\mathrm{Ext}_3 : \{0,1\}^n \times \{0,1\}^{d_1} \times \{0,1\}^{d_2} \to \{0,1\}^{m_1} \times \{0,1\}^{m_2}, \qquad (x, y_1, y_2) \mapsto (\mathrm{Ext}_1(x, y_1), \mathrm{Ext}_2(x, y_2)),$$

is a quantum-proof $(k, \varepsilon_1 + \varepsilon_2)$-strong extractor.

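Proof. We need to show that for any state $\rho_{XE}$ with $H_{\min}(X|E) \ge k$,

$$\frac{1}{2} \left\| \rho_{\mathrm{Ext}_1(X,Y_1)\mathrm{Ext}_2(X,Y_2)Y_1Y_2E} - \rho_{U_{m_1}} \otimes \rho_{U_{m_2}} \otimes \rho_{Y_1} \otimes \rho_{Y_2} \otimes \rho_E \right\|_{\mathrm{tr}} \le \varepsilon_1 + \varepsilon_2. \tag{9}$$

The left-hand side of Eq. (9) can be upper-bounded by

$$\frac{1}{2} \left\| \rho_{\mathrm{Ext}_1(X,Y_1)Y_1E} \otimes \rho_{U_{m_2}} \otimes \rho_{Y_2} - \rho_{U_{m_1}} \otimes \rho_{Y_1} \otimes \rho_E \otimes \rho_{U_{m_2}} \otimes \rho_{Y_2} \right\|_{\mathrm{tr}}$$

$$+ \frac{1}{2} \left\| \rho_{\mathrm{Ext}_2(X,Y_2)Y_2\mathrm{Ext}_1(X,Y_1)Y_1E} - \rho_{U_{m_2}} \otimes \rho_{Y_2} \otimes \rho_{\mathrm{Ext}_1(X,Y_1)Y_1E} \right\|_{\mathrm{tr}}. \tag{10}$$

By the definition of $\mathrm{Ext}_1$ the first term in Eq. (10) is upper-bounded by
$\varepsilon_1$. For the second term we use Lemma B.3 and get

$$H_{\min}(X | \mathrm{Ext}_1(X,Y_1) Y_1 E) \ge H_{\min}(X | Y_1 E) - H_0(\mathrm{Ext}_1(X,Y_1))
= H_{\min}(X|E) - H_0(\mathrm{Ext}_1(X,Y_1)) \ge k - m_1.$$

By the definition of $\mathrm{Ext}_2$ the second term in Eq. (10) can then be
upper-bounded by $\varepsilon_2$. □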

B Technical lemmas 
B.1 Min-entropy chain rules

We use the following "chain-rule type" statements about the min-entropy. The
proofs for the first two can be found in [Ren05].

Lemma B.1 ([Ren05, Lemma 3.1.10]). For any state $\rho_{ABC}$,

$$H_{\min}(A|BC) \ge H_{\min}(AC|B) - H_0(C),$$

where $H_0(C) = \log \mathrm{rank}(\rho_C)$.

Lemma B.2 ([Ren05, Lemma 3.1.9]). For any state $\rho_{ABZ}$ classical on $Z$,

$$H_{\min}(AZ|B) \ge H_{\min}(A|B).$$

Lemma B.3. For any state $\rho_{ABZ}$ classical on $Z$,

$$H_{\min}(A|BZ) \ge H_{\min}(A|B) - H_0(Z),$$

where $H_0(Z) = \log \mathrm{rank}(\rho_Z)$.

Proof. Immediate by combining Lemma B.1 and Lemma B.2. □

B.2 Security reduction



To show that an adversary who can distinguish the output of $\mathrm{Ext}_C$ (defined
in Definition 4.2 on page 10) from uniform can also guess the output of the
extractor $C$, we first show that such an adversary can guess one of the bits of
the output of $\mathrm{Ext}_C$ given some extra classical information. This is a quantum
version of a result by Yao [Yao82].

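Lemma B.4. Let a player hold a quantum state $\rho_B$ correlated with a classical
random variable $Z$ on $m$-bit strings, such that he can distinguish $Z$ from uniform
with probability greater than $\varepsilon$. Then there exists a bit $i \in [m]$ such that when
given the previous $i - 1$ bits of $Z$, he can distinguish the $i$-th bit of $Z$ from
uniform with probability greater than $\varepsilon/m$. In other words, if
$\| \rho_{ZB} - \rho_{U_m} \otimes \rho_B \|_{\mathrm{tr}} > \varepsilon$,
then there exists an $i \in [m]$ such that (footnote 16)

$$\left\| \sum_{z : z_i = 0} p_z\, |z_{[i-1]}\rangle\langle z_{[i-1]}| \otimes \rho^{z}_{B} - \sum_{z : z_i = 1} p_z\, |z_{[i-1]}\rangle\langle z_{[i-1]}| \otimes \rho^{z}_{B} \right\|_{\mathrm{tr}} > \frac{\varepsilon}{m}. \tag{11}$$

Proof. The proof uses a hybrid argument. Let

$$\sigma_i = \sum_{\substack{z \in \mathcal{Z} \\ r \in \{0,1\}^m}} \frac{p_z}{2^m}\, |z_{[i]}, r_{\{i+1,\dots,m\}}\rangle\langle z_{[i]}, r_{\{i+1,\dots,m\}}| \otimes \rho^{z}_{B}.$$

Then

$$\varepsilon < \left\| \rho_{ZB} - \rho_{U_m} \otimes \rho_B \right\|_{\mathrm{tr}}
= \left\| \sigma_m - \sigma_0 \right\|_{\mathrm{tr}}
\le \sum_{i=1}^{m} \left\| \sigma_i - \sigma_{i-1} \right\|_{\mathrm{tr}}
\le m \max_i \left\| \sigma_i - \sigma_{i-1} \right\|_{\mathrm{tr}}.$$

By rearranging $\| \sigma_i - \sigma_{i-1} \|_{\mathrm{tr}}$ we get the lhs of Eq. (11). □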



We now need to bound the size of this extra information, the "previous $i - 1$
bits", and show that when averaging over all the seeds of $\mathrm{Ext}_C$, we average
over all the seeds of $C$, which means that guessing a bit of the output of $\mathrm{Ext}_C$
corresponds to distinguishing the output of $C$ from uniform. For the reader's
convenience we now restate Proposition 4.4 and give its proof.

Proposition B.5 (Proposition 4.4). Let $X$ be a classical random variable
correlated to some quantum system $E$, let $Y$ be a (not necessarily uniform) seed,
independent from $XE$, and let

$$\left\| \rho_{\mathrm{Ext}_C(X,Y)YE} - \rho_{U_m} \otimes \rho_Y \otimes \rho_E \right\|_{\mathrm{tr}} > \varepsilon, \tag{12}$$

where $\mathrm{Ext}_C$ is the extractor from Definition 4.2. Then there exists a partition
of the seed $Y$ in two substrings $V$ and $W$, and a classical random variable $G$,
such that $G$ has size $H_0(G) \le rm$, where $r$ is one of the parameters of the weak
design, $V \leftrightarrow W \leftrightarrow G$ form a Markov chain, and

$$\left\| \rho_{C(X,V)VWGE} - \rho_{U_1} \otimes \rho_{VWGE} \right\|_{\mathrm{tr}} > \frac{\varepsilon}{m}. \tag{13}$$

16 To simplify the notation, the statement of this lemma uses the fact that for any binary
random variable $X$ and quantum system $Q$, the following equality holds:
$\| \rho_{XQ} - \rho_{U_1} \otimes \rho_Q \|_{\mathrm{tr}} = \| p_0 \rho^{0}_{Q} - p_1 \rho^{1}_{Q} \|_{\mathrm{tr}}$.



Proof. We apply Lemma B.4 to Eq. (12) and get that there exists an $i \in [m]$
such that

$$\left\| \sum_{\substack{x,y \\ C(x, y_{S_i}) = 0}} p_x q_y\, |C(x,y_{S_1}) \cdots C(x,y_{S_{i-1}}), y\rangle\langle C(x,y_{S_1}) \cdots C(x,y_{S_{i-1}}), y| \otimes \rho^{x} - \sum_{\substack{x,y \\ C(x, y_{S_i}) = 1}} p_x q_y\, |C(x,y_{S_1}) \cdots C(x,y_{S_{i-1}}), y\rangle\langle C(x,y_{S_1}) \cdots C(x,y_{S_{i-1}}), y| \otimes \rho^{x} \right\|_{\mathrm{tr}} > \frac{\varepsilon}{m}, \tag{14}$$

where $\{p_x\}_{x \in \mathcal{X}}$ and $\{q_y\}_{y \in \mathcal{Y}}$ are the probability distributions of
$X$ and $Y$ respectively.

We split $y \in \{0,1\}^d$ in two strings of $t = |S_i|$ and $d - t$ bits, and write
$v := y_{S_i}$ and $w := y_{[d] \setminus S_i}$. To simplify the notation, we set
$g(w, x, j, v) := C(x, y_{S_j})$. Fix $w$, $x$ and $j$, and consider the function
$g(w, x, j, \cdot) : \{0,1\}^t \to \{0,1\}$. This function only depends on $|S_j \cap S_i|$
bits of $v$. So to describe this function we need a string of at most
$2^{|S_j \cap S_i|}$ bits. And to describe
$g^{w,x}(\cdot) := g(w, x, 1, \cdot) \cdots g(w, x, i-1, \cdot)$, which is the concatenation of the
bits of $g(w, x, j, \cdot)$ for $1 \le j \le i - 1$, we need a string of length at most
$\sum_{j=1}^{i-1} 2^{|S_j \cap S_i|}$. So a system $G$ containing a description of $g^{w,x}$ has
size at most $H_0(G) \le \sum_{j=1}^{i-1} 2^{|S_j \cap S_i|}$. We now rewrite Eq. (14) as

$$\left\| \sum_{\substack{x,v,w \\ C(x,v) = 0}} p_x q_{v,w}\, |g^{w,x}(v), v, w\rangle\langle g^{w,x}(v), v, w| \otimes \rho^{x} - \sum_{\substack{x,v,w \\ C(x,v) = 1}} p_x q_{v,w}\, |g^{w,x}(v), v, w\rangle\langle g^{w,x}(v), v, w| \otimes \rho^{x} \right\|_{\mathrm{tr}} > \frac{\varepsilon}{m}.$$

By providing a complete description of $g^{w,x}$ instead of its value at the point
$v$, we can only increase the trace distance, hence

$$\left\| \sum_{\substack{x,v,w \\ C(x,v) = 0}} p_x q_{v,w}\, |g^{w,x}, v, w\rangle\langle g^{w,x}, v, w| \otimes \rho^{x} - \sum_{\substack{x,v,w \\ C(x,v) = 1}} p_x q_{v,w}\, |g^{w,x}, v, w\rangle\langle g^{w,x}, v, w| \otimes \rho^{x} \right\|_{\mathrm{tr}} > \frac{\varepsilon}{m}.$$

By rearranging this a little more we finally get

$$\left\| \rho_{C(X,V)VWGE} - \rho_{U_1} \otimes \rho_{VWGE} \right\|_{\mathrm{tr}} > \frac{\varepsilon}{m},$$

where $G$ is a classical system of size $H_0(G) \le \sum_{j=1}^{i-1} 2^{|S_j \cap S_i|}$, and
$V \leftrightarrow W \leftrightarrow G$ form a Markov chain. By the definition of weak designs, we
have for all $i \in [m]$, $\sum_{j=1}^{i-1} 2^{|S_j \cap S_i|} \le rm$ for some $r \ge 1$. So
$H_0(G) \le rm$. □



C List-decodable codes are one-bit extractors 
C.1 Construction

A standard error correcting code guarantees that if the error is small, any string 
can be uniquely decoded. A list-decodable code guarantees that for a larger (but 
bounded) error, any string can be decoded to a list of possible messages. 

Definition C.1 (list-decodable code). A code $C : \{0,1\}^n \to \{0,1\}^{\bar{n}}$ is said
to be $(\varepsilon, L)$-list-decodable if every Hamming ball of relative radius
$1/2 - \varepsilon$ in $\{0,1\}^{\bar{n}}$ contains at most $L$ codewords.

Neither Trevisan [Tre01] nor Raz et al. [RRV02] state it explicitly, but both
papers contain an implicit proof that if $C : \{0,1\}^n \to \{0,1\}^{\bar{n}}$ is an
$(\varepsilon, L)$-list-decodable code, then

$$\mathrm{Ext} : \{0,1\}^n \times [\bar{n}] \to \{0,1\}, \qquad (x, y) \mapsto C(x)_y,$$

is a $(\log L + \log \frac{1}{2\varepsilon}, 2\varepsilon)$-strong extractor. We have rewritten their
proof in Section C.2 for completeness (footnote 17).

There exist list-decodable codes with the following parameters.

Lemma C.2. For every $n \in \mathbb{N}$ and $\delta > 0$ there is a code
$C_{n,\delta} : \{0,1\}^n \to \{0,1\}^{\bar{n}}$, which is $(\delta, 1/\delta^2)$-list-decodable, with
$\bar{n} = \mathrm{poly}(n, 1/\delta)$. Furthermore, $C_{n,\delta}$ can be evaluated in time
poly$(n, 1/\delta)$ and $\bar{n}$ can be assumed to be a power of 2.

For example, Guruswami et al. [GHSZ02] combine a Reed-Solomon code
with a Hadamard code, obtaining such a list-decodable code with
$\bar{n} = O(n/\delta^4)$.

Such codes require all bits of the input $x$ to be read to compute any single
bit $C(x)_i$ of the output. If we are interested in so-called local codes, we can use
a construction by Lu [Lu04].

17 A slightly more general proof, that approximate list-decodable codes are 1-bit extractors,
can be found in [DV10, Claim 3.7].

Lemma C.3 ([Lu04, Corollary 1]). For every n 6 N, < S < 1/m and constant
< 7 < 1, there is a code C n , 5>7 : {0, 1}™ -> {0, l} fi , which is (6, 2~< n /6 2 ) -list- 
decodable, with n — poly(n, 1/6). Furthermore, for every i <E [n], C rh s.^{x)i is 
the parity of 0(\og(l/md)) bits of x. 

C.2 Proof 

Theorem C.4. Let $C : \{0,1\}^n \to \{0,1\}^{\bar{n}}$ be an $(\varepsilon, L)$-list-decodable code.
Then the function

$$C' : \{0,1\}^n \times [\bar{n}] \to \{0,1\}, \qquad (x, y) \mapsto C(x)_y$$

is a $(\log L + \log \frac{1}{2\varepsilon}, 2\varepsilon)$-strong extractor.

To prove this theorem we first show that an adversary who can distinguish
the bits of $C(X)$ from uniform can construct a string $a$ which is close to $C(X)$
on average (over $X$). Then using the error correcting properties of the code $C$,
he can reconstruct $X$. Hence an adversary who can break the extractor must
have low min-entropy about $X$.

Lemma C.5. Let $X$ and $Y$ be two independent random variables with alphabets
$\{0,1\}^n$ and $[n]$ respectively. Let $Y$ be uniformly distributed and $X$ be
distributed such that $\frac{1}{2} | X_Y \circ Y - U_1 \circ Y | > \delta$, where $U_1$ is uniformly
distributed on $\{0,1\}$. Then there exists a string $a \in \{0,1\}^n$ with

$$\Pr\left[ d(X, a) \le \frac{1}{2} - \frac{\delta}{2} \right] > \delta,$$

where $d(\cdot, \cdot)$ is the relative Hamming distance.



Proof. Define $a \in \{0,1\}^n$ to be the concatenation of the most probable bits of
$X$, i.e., $a_y := \arg\max_b P_{X_y}(b)$, where
$P_{X_y}(b) = \sum_{x \in \{0,1\}^n : x_y = b} P_X(x)$.

The average relative Hamming distance between $X$ and $a$ is

$$\sum_{x \in \{0,1\}^n} P_X(x)\, d(x, a) = \frac{1}{n} \sum_{x \in \{0,1\}^n} P_X(x) \sum_{y=1}^{n} |x_y - a_y| = 1 - \frac{1}{n} \sum_{\substack{x, y \\ x_y = a_y}} P_X(x).$$

And since $\frac{1}{2} | X_Y \circ Y - U_1 \circ Y | > \delta$ is equivalent to
$\frac{1}{n} \sum_{y=1}^{n} \max_{b \in \{0,1\}} P_{X_y}(b) > \frac{1}{2} + \delta$, we have

$$\sum_{x \in \{0,1\}^n} P_X(x)\, d(x, a) < \frac{1}{2} - \delta. \tag{15}$$

We now wish to lower bound the probability that the average Hamming
distance is less than $\frac{1}{2} - \frac{\delta}{2}$. Let
$B := \{x : d(x, a) \le \frac{1}{2} - \frac{\delta}{2}\}$ be the set of
values $x \in \{0,1\}^n$ meeting this requirement. Then the weight of $B$,
$w(B) := \sum_{x \in B} P_X(x)$, is the quantity we wish to lower bound. It is at its
minimum if all $x \in B$ have Hamming distance $d(x, a) = 0$. In which case the
average Hamming distance is

$$\sum_{x \in \{0,1\}^n} P_X(x)\, d(x, a) \ge (1 - w(B)) \left( \frac{1}{2} - \frac{\delta}{2} \right). \tag{16}$$

Combining Eqs. (15) and (16) we get

$$w(B) > \frac{\delta}{1 - \delta} > \delta. \qquad \Box$$

18 This theorem still holds in the presence of classical side information with exactly the same
parameters.

We are now ready to prove Theorem C.4.

Proof of Theorem C.4. We will show that if it is possible to distinguish $C'(X, Y)$
from uniform with probability at least $2\varepsilon$, then $X$ must have min-entropy

$$H_{\min}(X) < \log L + \log \frac{1}{2\varepsilon}.$$

If $\frac{1}{2} | C'(X, Y) \circ Y - U_1 \circ Y | > 2\varepsilon$, then by Lemma C.5 we know that
there exists an $a \in \{0,1\}^{\bar{n}}$ such that

$$\Pr\left[ d(C(X), a) \le \frac{1}{2} - \varepsilon \right] > 2\varepsilon,$$

where $d(\cdot, \cdot)$ is the relative Hamming distance.

This means that with probability at least $2\varepsilon$, $X$ takes values $x$ such that
$d(C(x), a) \le \frac{1}{2} - \varepsilon$. So for these values of $X$, if we choose one of the
codewords in the Hamming ball of relative radius $\frac{1}{2} - \varepsilon$ around $a$ uniformly
at random as our guess for $x$, we will have chosen correctly with probability at
least $1/L$, since the Hamming ball contains at most $L$ codewords. The total
probability of guessing $X$ is then at least $2\varepsilon/L$.

Hence by Eq. (3) $H_{\min}(X) < \log L + \log \frac{1}{2\varepsilon}$. □